For me the last two weeks or so have involved a lot of wrestling with SSL certificates. One of the things that took some time to figure out was how to piggy-back on the tools provided by different Operating Systems to manage certificates. We did not want to rewrite NSS. Luckily for us, all the major OSes provide tools to manage certificates from the command line.
Windows
Windows provides two ways to deal with certificates from the command line - Certutil and certmgr.exe. We decided to go with Certutil because it is present out of the box on Windows 7 and Windows Server 2008, while certmgr.exe is part of the .Net runtime. This blog post will deal with Certutil.
Adding a certificate
certutil.exe -addstore -user root foo.crt
This will install the foo.crt certificate to the Trusted Root Certification Authorities store for the current user.
View certificates in a store
certutil.exe -viewstore -user root
This will list all the certificates in the Trusted Root Certification Authorities store for the current user. One drawback is that it opens a window to show the list instead of writing to STDOUT.
List certificates in a store
certutil.exe -user -store root
This will list all the certificates in the Trusted Root Certification Authorities store for the current user to STDOUT.
There are more detailed explanations here.
Mac OS X
Mac OS X ships the security tool to let the user manage certificates and keychains.
Adding a certificate
security add-certificates foo.crt
security add-trusted-cert foo.crt
The first line will add foo.crt to the current user’s keychain, while the second line ensures that the newly added certificate is trusted. This means the certificate will be trusted for SSL, EAP and code signing. To get more fine-grained control over what the certificate is trusted for, the -p (policy) flag can be used.
security add-trusted-cert -p ssl foo.crt
This will trust the certificate only for SSL interactions.
Listing certificates
security find-certificate -a -e [email protected]
This lists all the certificates where the e-mail address of the issuer is [email protected]. Other fields that can be used for matching include -c (name).
Linux
On Linux, the best we could find was certutil which is part of Mozilla’s NSS project.
Adding a certificate
certutil -A -d sql:~/.pki/nssdb -t C -n "Certificate Common Name" -i foo.crt
This will add foo.crt to the certificate database ~/.pki/nssdb. This is where applications like Chromium look for certificates.
Listing certificates
certutil -L -d sql:~/.pki/nssdb -n "Certificate Common Name"
This will list the certificates in ~/.pki/nssdb with the common name “Certificate Common Name”.
Firefox
While the above steps work fine for pretty much all applications on the three OSes, Firefox does things its own way. Firefox implements NSS and hence does not look at the certificates the OS knows about. One solution to manage certificates from the command line would be to install certutil and point it at the cert8.db certificate database in your Firefox profile directory. Alternatively, one could do the following:
- Launch Firefox with a blank profile.
- Accept the certificates we are interested in.
- Save a copy of the cert8.db file.
- Import this database into the profiles we wish to run Firefox on.
While copying the database is not as clean a solution as using certutil, we decided to go with the second option because there is no guarantee that certutil will be present on the user’s box, especially if they are running Windows or Mac OS X, and we had a fairly high degree of control over the Firefox profiles.
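The last step, importing the saved cert8.db into every profile, is the one that is easy to get wrong by hand. Below is an added example (not code from the original post) that reads Firefox's profiles.ini to find the profile directories, keeps the existing cert8.db as a .bak so the change can be reverted, and skips profiles that are declared but were never created. It assumes the profiles.ini layout of that Firefox era ([ProfileN] sections with Path and IsRelative keys); the demo() function builds a constructed profiles tree in a temporary directory with placeholder bytes standing in for the real NSS database.

```python
import configparser
import shutil
import tempfile
from pathlib import Path

def firefox_profile_dirs(profiles_root):
    """Return the profile directories declared in profiles.ini under profiles_root."""
    root = Path(profiles_root)
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(root / "profiles.ini")
    dirs = []
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue  # skip [General] and other non-profile sections
        path = ini[section]["Path"]
        relative = ini[section].get("IsRelative", "1") == "1"
        dirs.append(root / path if relative else Path(path))
    return dirs

def install_cert_db(source_db, profiles_root):
    """Copy source_db into each existing profile as cert8.db; keep any old one as .bak."""
    updated = []
    for profile in firefox_profile_dirs(profiles_root):
        if not profile.is_dir():
            continue  # declared in profiles.ini but never created on disk
        target = profile / "cert8.db"
        if target.exists():
            shutil.copy2(target, profile / "cert8.db.bak")  # so the change can be reverted
        shutil.copy2(Path(source_db), target)
        updated.append(profile)
    return updated

def demo():
    """Exercise install_cert_db on a constructed profiles tree in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    (root / "profiles.ini").write_text(
        "[General]\nStartWithLastProfile=1\n\n[Profile0]\nName=default\nIsRelative=1\n"
        "Path=abc123.default\n\n[Profile1]\nName=work\nIsRelative=1\nPath=def456.work\n\n"
        "[Profile2]\nName=stale\nIsRelative=1\nPath=missing.stale\n")  # Profile2 dir is never created
    (root / "abc123.default").mkdir()
    (root / "abc123.default" / "cert8.db").write_bytes(b"OLD-DB")  # constructed stand-in
    (root / "def456.work").mkdir()
    approved = root / "approved-cert8.db"
    approved.write_bytes(b"APPROVED-DB")  # constructed stand-in for the real NSS database
    updated = install_cert_db(approved, root)
    return {"updated": sorted(p.name for p in updated),
            "default_db": (root / "abc123.default" / "cert8.db").read_bytes(),
            "default_backup": (root / "abc123.default" / "cert8.db.bak").read_bytes(),
            "work_db": (root / "def456.work" / "cert8.db").read_bytes()}
```

Run it against a real profiles root only while Firefox is closed, since Firefox holds the database open while running.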